DocuSign Mobile Apps FAQ
The DocuSign electronic signature app provides consumers and professionals with a simple way to electronically sign and return documents from almost anywhere in the world, using practically any device.
What data is stored on the device?
Android: Generally speaking we store metadata about the envelopes the user has access to, user data, and account data. If the user is using offline functionality and is downloading envelopes to the device for offline use, we store the actual PDFs in that case.
iOS: We store data that is required for envelopes and signing, such as e-mail addresses of senders / recipients, tags, document PDFs, and preview thumbnail images in the device’s Core Data storage. Passwords and tokens are stored in the device’s keychain.
What data is transferred to and from the devices?
Primarily envelope (e.g. documents, tags) user (e.g. e-mails, names, passwords), and account (e.g. names, plans) data is transferred between our backend servers and our mobile apps. We do also support importing documents from third-party sources (e.g. Google Drive) into our mobile apps for the purposes of sending / signing.
How is data transmitted to and from the devices?
Our mobile apps interface with our DocuSign REST APIs over HTTPS to communicate with our backend servers.
Is the data encrypted at rest on the phone?
Android: Yes, user data (name, email, push notification ID, access token, etc) is encrypted at rest. Everything else is unencrypted. Storage on Android is silo-ed, meaning that no other app can access data we store.
iOS: Yes using native OS security/encryption methods, but it only works when the device is password protected.
Can a user or the company do a remote wipe of their data?
Android: The user can always uninstall the app, which would wipe everything. Also if the company is utilizing Android for Work, the AFW administrator can wipe app data remotely.
iOS: Apple has a feature that allows users to remotely wipe their device’s data entirely that users can set up, but we do not currently support remotely wiping specifically just the DocuSign iOS app’s data.
What is the authentication model on the devices?
DocuSign supports standard username / password login with two-factor authentication support. We also support Single Sign On if customers choose to use their own identity provider to manage access to DocuSign.
What happens with the data from an app that connects via SSO when the AD account gets turned off?
Android: Nothing would happen to the app or the mobile device at that time. If the access token and refresh tokens were disabled/expired as the result of this operation, then the user would be logged out the next time they attempt to open or access the app.
iOS: The data for the logged-in user would still be on the device at the time the AD account is turned off. However, if the user were to open the iOS app after that point and the user’s Account Server access / refresh tokens had been forced to expire in the back end, the app would log the user out.
What application and other settings or certificates must be on the devices to connect?
No other application is required. However, administrators who set up SSO may have additional requirements from the identity provider.
What's our formal answer for MDM support?
Android: The Android app supports Android for Work.
iOS: We do not support MDM.